It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Thank you.
Some features of ATS will be disabled while you continue to use an ad-blocker.
SCI/TECH: New DNS Attack Installs Spyware, Steals Information
page: 10
share:
Recently, a new method of hijacking an internet user's URL request for a legitimate website and re-directing it to a maliciously designed site that
installs spyware has surfaced. Using a previously discovered flaw in some corporate internet security appliances, someone was able to take requests
for sites, including Google and eBay, and point them toward servers that take advantage of holes in web browser security to install spyware which can
steal valuable personal data.
Phishers pushing spyware through DNS holes
The warning follows reports Friday that some people's computers were being redirected from sites such as eBay and Google to malicious Web servers that attempted to install spyware. The compromises affected 30 to 40 networks, according to Jason Lam, incident handler for the Internet Storm Centre, which tracks network threats.
"It's hard to tell how many people were impacted by this, but it wasn't very widespread," Lam said Tuesday.
The attacks compromised DNS servers to replace the numeric addresses of popular Web sites with the addresses of malicious sites run by the attackers. Known as DNS poisoning, the scheme redirects Internet users to bogus sites where they may be asked for sensitive information or have spyware installed on their PCs.
Please visit the link provided for the complete story.
This particular attack appears to have been directed at a number of corporate security appliances distributed by Symantec. The vulnerability that was exploited in some cases had been identified in June 2004 and hotfixes were issued, but it has not been established if the compromised DNS caches were on un-patched machines or if the patch that was issued failed to fully correct the problem.
More disturbing are the reports of DNS cache poisoning from organizations that do not use Symantec products. With this news, it appears that there may be a broader attack in the works.
The Internet Storm Center has noted that those who were victims of these URL re-directs ran the risk of having the ABX Toolbar installed using an ActiveX control flaw that was fixed in Service Pack 2 for Microsoft Windows XP. Not much is known about the nature of this spyware, but as information comes out it will be shared here.
If you think you have been affected by the ABX Toolbar exploit, the following removal instructions were provided by ISC.
The above was taken from 2005-03-07 ISC Diary
DNS Hijacking attacks, while still not common, pose a growing threat to internet users. The practice of Phishing to steal user data currently relies on tricking someone into visiting a site with a spoofed address using a link in email, instant message, etc. This new technique is particularly devious because it can use the actual address of a site to take unsuspecting consumers to a fake page, thus creating a sense of security that may make them more likely to reveal usernames, passwords, and account information. This method could be virtually undetectable to most internet users.
This could be the new face of computer crime since the target of the actual attack in not individual computers, but larger corporate services that affect thousands of consumers.
Please see the ATSNN Exclusive report on the subject of DNS Hijacking listed below for more details on the potential of this threat.
Related ATS Discussions
EXCLUSIVE: Med Network DNS Hijack, A Web Exploit That May Spell Cyber-Disaster
Related News Links
Global DNS cache poisoning attack?; Update
Possible Domain Poisoning Underway
Symantec Gateway Security Products DNS Cache Poisoning Vulnerability
Symantec Hotfix Information
[edit on 9-3-2005 by Spectre]
Phishers pushing spyware through DNS holes
The warning follows reports Friday that some people's computers were being redirected from sites such as eBay and Google to malicious Web servers that attempted to install spyware. The compromises affected 30 to 40 networks, according to Jason Lam, incident handler for the Internet Storm Centre, which tracks network threats.
"It's hard to tell how many people were impacted by this, but it wasn't very widespread," Lam said Tuesday.
The attacks compromised DNS servers to replace the numeric addresses of popular Web sites with the addresses of malicious sites run by the attackers. Known as DNS poisoning, the scheme redirects Internet users to bogus sites where they may be asked for sensitive information or have spyware installed on their PCs.
Please visit the link provided for the complete story.
This particular attack appears to have been directed at a number of corporate security appliances distributed by Symantec. The vulnerability that was exploited in some cases had been identified in June 2004 and hotfixes were issued, but it has not been established if the compromised DNS caches were on un-patched machines or if the patch that was issued failed to fully correct the problem.
More disturbing are the reports of DNS cache poisoning from organizations that do not use Symantec products. With this news, it appears that there may be a broader attack in the works.
The Internet Storm Center has noted that those who were victims of these URL re-directs ran the risk of having the ABX Toolbar installed using an ActiveX control flaw that was fixed in Service Pack 2 for Microsoft Windows XP. Not much is known about the nature of this spyware, but as information comes out it will be shared here.
If you think you have been affected by the ABX Toolbar exploit, the following removal instructions were provided by ISC.
Run Regedit and search for "abx" (do not include quotes). Remove all references containing "abx" from the registry. There are at least two Keys in the registry that contain several Values related to this spyware. On my test workstation, one of them was: HKCU\software\xbtb01186\toolbar.
I am not sure, but the "xbtb01186" may be a randomly generated Key, but within that Key will be several Values with "abx" references. Remove the entire Key starting at "xbtb01186".
You will need to delete two files in the "Download Program Files" directory under your Windows directory. In Windows XP they will be under c:\windows\Download Program Files. In NT they will be under c:\winnt\Download Program Files. The file names are:
abx_search.dll
abx_search.inf
The "Download Program Files" directory stores the ActiveX Cache used when starting up Internet Explorer. This directory may be hidden, so make sure your Explorer settings allow you to view hidden files.
The above was taken from 2005-03-07 ISC Diary
DNS Hijacking attacks, while still not common, pose a growing threat to internet users. The practice of Phishing to steal user data currently relies on tricking someone into visiting a site with a spoofed address using a link in email, instant message, etc. This new technique is particularly devious because it can use the actual address of a site to take unsuspecting consumers to a fake page, thus creating a sense of security that may make them more likely to reveal usernames, passwords, and account information. This method could be virtually undetectable to most internet users.
This could be the new face of computer crime since the target of the actual attack in not individual computers, but larger corporate services that affect thousands of consumers.
Please see the ATSNN Exclusive report on the subject of DNS Hijacking listed below for more details on the potential of this threat.
Related ATS Discussions
EXCLUSIVE: Med Network DNS Hijack, A Web Exploit That May Spell Cyber-Disaster
Related News Links
Global DNS cache poisoning attack?; Update
Possible Domain Poisoning Underway
Symantec Gateway Security Products DNS Cache Poisoning Vulnerability
Symantec Hotfix Information
[edit on 9-3-2005 by Spectre]
new topics
-
Armadillos moving north
Fragile Earth: 2 minutes ago -
Million dollar idea, and good for your feelz!
Rant: 27 minutes ago -
Is there a dependence on the number of children in the family and its well-being?
New World Order: 36 minutes ago -
Barron Trump has prior commitments?
Mainstream News: 5 hours ago -
Is Taco Bell Satanic?
Education and Media: 9 hours ago -
Scientists Find 7 potential Dyson spheres after Scanning 5 million Objects
Space Exploration: 10 hours ago
0